RC1 and 'detectnets' option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1089 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-01-23 23:48:30 +00:00
parent 22df211052
commit 2e80e459bb
9 changed files with 73 additions and 12 deletions


@ -3,3 +3,10 @@ Changes since 1.4.9
1) Implement destination list in masq file. 1) Implement destination list in masq file.
2) Appled Frédéric LESPEZ's patch for packet marking by user/group id. 2) Appled Frédéric LESPEZ's patch for packet marking by user/group id.
3) Correct column headings in action.template
4) Handle IPV6 addresses correctly with ADD_IP_ALIASES=Yes or
ADD_SNAT_ALIASES=Yes.
5) Implement "detectnets" option.


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.9 VERSION=1.4.10-RC1
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -564,11 +564,21 @@ determine_hosts() {
eval interfaces=\$${zone}_interfaces eval interfaces=\$${zone}_interfaces
for interface in $interfaces; do for interface in $interfaces; do
if [ -z "$hosts" ]; then eval options=\$`chain_base ${interface}`_options
hosts=$interface:0.0.0.0/0
if list_search detectnets $options; then
subnets=`get_routed_subnets $interface`
else else
hosts="$hosts $interface:0.0.0.0/0" subnets=0.0.0.0/0
fi fi
for subnet in $subnets; do
if [ -z "$hosts" ]; then
hosts=$interface:$subnet
else
hosts="$hosts $interface:$subnet"
fi
done
done done
interfaces= interfaces=
@ -611,6 +621,8 @@ validate_zone() # $1 = zone
# Validate the zone names and options in the interfaces file # Validate the zone names and options in the interfaces file
# #
validate_interfaces_file() { validate_interfaces_file() {
local wildcard
while read z interface subnet options; do while read z interface subnet options; do
expandv z interface subnet options expandv z interface subnet options
r="$z $interface $subnet $options" r="$z $interface $subnet $options"
@ -628,10 +640,15 @@ validate_interfaces_file() {
list_search $interface $all_interfaces && \ list_search $interface $all_interfaces && \
startup_error "Duplicate Interface $interface" startup_error "Duplicate Interface $interface"
wildcard=
case $interface in case $interface in
*:*) *:*)
startup_error "Invalid Interface Name: $interface" startup_error "Invalid Interface Name: $interface"
;; ;;
*+*)
wildcard=Yes
;;
esac esac
all_interfaces="$all_interfaces $interface" all_interfaces="$all_interfaces $interface"
@ -646,6 +663,10 @@ validate_interfaces_file() {
case $option in case $option in
dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-) dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|-)
;; ;;
detectnets)
[ -n "$wildcard" ] && \
startup_error "The \"detectnets\" option may not be used with a wild-card interface"
;;
dropunclean|logunclean) dropunclean|logunclean)
error_message \ error_message \
"Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release" "Warning: The 'dropunclean' and 'logunclean' options will be removed in a future release"
@ -844,7 +865,7 @@ find_broadcasts() {
for interface in $all_interfaces; do for interface in $all_interfaces; do
eval bcast=\$`chain_base $interface`_broadcast eval bcast=\$`chain_base $interface`_broadcast
if [ "x$bcast" = "xdetect" ]; then if [ "x$bcast" = "xdetect" ]; then
addr="`ip addr show $interface 2> /dev/null`" addr="`ip -f inet addr show $interface 2> /dev/null`"
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
addr="`echo "$addr" | \ addr="`echo "$addr" | \
grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`" grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`"
@ -4113,7 +4134,7 @@ add_ip_aliases()
# #
# Get all of the lines that contain inet addresses # Get all of the lines that contain inet addresses
# #
ip addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do ip -f inet addr show $interface 2> /dev/null | grep 'inet' | while read inet cidr rest ; do
case $cidr in case $cidr in
*/*) */*)
if in_subnet $external $cidr; then if in_subnet $external $cidr; then
@ -4817,6 +4838,8 @@ activate_rules()
echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains
need_broadcast=
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:} subnet=${host#*:}
@ -4834,6 +4857,14 @@ activate_rules()
[ -n "$complex" ] && \ [ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
if ! list_search $interface $need_broadcast ; then
eval options=\$`chain_base ${interface}`_options
list_search detectnets $options && need_broadcast="$need_broadcast $interface"
fi
done
for interface in $need_broadcast ; do
run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
done done
for zone1 in $zones; do for zone1 in $zones; do
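Review bot: In the determine_hosts hunk, when list_search finds detectnets the interface's subnet list comes entirely from `get_routed_subnets $interface`; if that returns nothing (interface down or no routes installed yet), the inner for-subnet loop adds no hosts at all and the zone silently loses that interface, even though the release notes say the interface must be UP at [re]start. Unless get_routed_subnets already aborts on an empty result (its body is not visible here), guard the assignment: `[ -n "$subnets" ] || startup_error "detectnets: no routes found through $interface"`. Both this hunk and the activate_rules hunk reassign `options` with `eval options=\$...` inside a loop over hosts; if either function reads `options` after that loop, the value is clobbered, which is worth confirming against the full function bodies. determine_hosts and activate_rules each begin before and end after their hunks.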


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.9 VERSION=1.4.10-RC1
usage() # $1 = exit status usage() # $1 = exit status
{ {


@ -117,6 +117,13 @@
# interface. The interface must be up # interface. The interface must be up
# when Shorewall is started. # when Shorewall is started.
# #
# detectnets - Automatically taylors the zone named
# in the ZONE column to include only those
# hosts routed through the interface.
#
# WARNING: DO NOT SET THE detectnets OPTION ON YOUR
# INTERNET INTERFACE!
#
# The order in which you list the options is not # The order in which you list the options is not
# significant but the list should have no embedded white # significant but the list should have no embedded white
# space. # space.


@ -94,7 +94,7 @@
# #
# You want all outgoing traffic from 192.168.1.0/24 through # You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the # eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 added to # primary address of eth0. You want 206.124.146.176 to
# be added to eth0 with name eth0:0. # be added to eth0 with name eth0:0.
# #
# eth0:0 192.168.1.0/24 206.124.146.176 # eth0:0 192.168.1.0/24 206.124.146.176


@ -2,7 +2,12 @@ This is a minor release of Shorewall.
Problems Corrected since version 1.4.9: Problems Corrected since version 1.4.9:
None. 1. The column descriptions in the action.template file did not match
the column headings. That has been corrected.
2. The presence of IPV6 addresses on devices generates error messages
during [re]start if ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes are
specified in /etc/shorewall/shorewall.conf.
Migration Issues: Migration Issues:
@ -35,3 +40,12 @@ New Features:
The colon is optionnal when specifying only a user. The colon is optionnal when specifying only a user.
Examples : john: / john / :users / john:users Examples : john: / john / :users / john:users
3) A "detectnets" interface option has been added for entries in
/etc/shorewall/interfaces. This option automatically taylors the
definition of the zone named in the ZONE column to include just
those hosts that have routes through the interface named in the
INTERFACE column. The named interface must be UP prior when
Shorewall is [re]started.
WARNING: DO NOT SET THIS OPTION ON YOUR INTERNET INTERFACE!


@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 1.4.9 %define version 1.4.10
%define release 1 %define release 0RC1
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -109,6 +109,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Tue Jan 22 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.10
* Tue Jan 13 2004 Tom Eastep <tom@shorewall.net> * Tue Jan 13 2004 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.9 - Changed version to 1.4.9
* Mon Dec 29 2003 Tom Eastep <tom@shorewall.net> * Mon Dec 29 2003 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.9 VERSION=1.4.10-RC1
usage() # $1 = exit status usage() # $1 = exit status
{ {